What’s this RBAC in Exchange Server 2010 anyway? – Part 3

I am sorry to realize that it has been ages since my last post. There have just been a lot of other things that needed my attention. But now I am back, and I will start with this last post in my series about Role Based Access Control. In this post I will focus on different examples. If you have another example you would like to see presented here, please let me know. And if you find an error of any sort, or have any questions or thoughts about it, please do not hesitate to drop a comment or contact me.

Scenario 1 – Adding users to role groups

We will start with a simple scenario where we want to add two users to different role groups, Help Desk and Organization Management. We will use both ECP and EMS and we will start with EMS.

Example 1 – Adding the user Test8 to the Help Desk role group using EMS

This is done using a simple one-liner:
Add-RoleGroupMember <role group name> -Member <member>

Example:
Add-RoleGroupMember "Help Desk" -Member Test8

rbac1

To list all members of the Help Desk group use the following command:
Get-RoleGroupMember "Help Desk"

rbac2

Example 2 – Adding the user Test8 to the Help Desk role group using ECP

Using the ECP involves several more steps than the EMS one-liner. I will start by showing you where to find the organizational settings in ECP. In Outlook Web App, choose Options and then See All Options.

rbac3

In ECP, click on Manage Myself and choose My Organization.

rbac4

To view the Role Groups click on Roles & Auditing.

rbac5

In the work pane you will see a list of all Role Groups, including the Help Desk group we are looking for. Double-click Help Desk, or select it and click Details, to open the details window.

rbac6

To add a new member to the Role Group, click Add in the Members section.

rbac7

Select the users, USGs, or other role groups you want to add to the role group, and then click OK.

rbac8

Click Save to save the changes to the role group.

rbac9

It is strongly recommended to use the built-in Role Groups as far as possible and to add your own Role Groups only when it is absolutely necessary.

Scenario 2 – Create a new role group

Next we will create two new role groups, one with a custom scope and one with an OU scope.

Example 1 – New role group with custom scope

For this example we will use the ECP to create the new role group. I will not repeat the initial ECP navigation steps; you can find them under Scenario 1 – Example 2.

Before we can create the group we have to create the custom scope. This can only be done using EMS. In the following example we create a scope with a filter that includes all users in the department Sales.

New-ManagementScope -Name "Mailboxes in department IT" -RecipientRestrictionFilter {Department -Eq "IT"}

rbac11

More information about the syntax of management role scope filters can be found here: http://technet.microsoft.com/en-us/library/dd298043.aspx

When the management scope is in place we can move on to create the role group. Navigate to the Administrator Roles tab, then Role Groups, and click New.

rbac10

Enter a name and description for the new role group and, for Write Scope, choose our newly created management scope, Mailboxes in department Sales.

rbac12

To add a management role to the role group, click Add under Roles. In the new window, select the roles and click Add, then click OK when finished.

rbac13

To add members to this role group, click Add under Members. In the new window, select the groups and mailboxes and click Add, then click OK when finished.

rbac14

Review the settings and click OK when finished.

rbac15

In this example we created a new role group that affects all mailboxes in the department Sales. We added the user Test and the management role Mail Recipients, which enables the user to manage existing mailboxes, mail users, and mail contacts.

Example 2 – New role group with OU scope

For this example we will use the EMS to create the new role group based on an OU scope. Start by opening the Exchange Management Shell and have a look at the following command:

New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

Let us create a new group and assign the Mail Recipients role, scoped to the OU IT Support:

New-RoleGroup -Name "Mailboxes in OU IT Support" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "IT Support"

rbac16
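
The role group work of Scenario 1 and Scenario 2 done entirely in the Exchange Management Shell, followed by the checks that show what the group's members can actually touch. This is an added example and not the post's own commands; the department value Sales, the role group name, the member Test8 and the two probe mailboxes are assumed for the example.

```powershell
# Added example (not from the original post): Scenario 2 – Example 1 as EMS commands,
# plus verification of membership (Scenario 1) and of the effective write scope.
# Assumed values: department "Sales", the group name, member "Test8", probe mailboxes.
$ScopeName = "Mailboxes in department Sales"
$GroupName = "Sales Mailbox Admins"
$Member    = "Test8"

# 1. Custom recipient scope: only recipients whose Department attribute is "Sales".
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter { Department -eq "Sales" }

# Preview which recipients the stored filter matches before granting anyone rights over it.
Get-Recipient -RecipientPreviewFilter (Get-ManagementScope $ScopeName).RecipientFilter |
    Select-Object Name, Department

# 2. Role group whose write scope is the custom scope. Only "Mail Recipients" is granted,
#    so members can manage existing mailboxes but cannot create new ones.
New-RoleGroup -Name $GroupName -Roles "Mail Recipients" -CustomRecipientWriteScope $ScopeName `
    -Members $Member -Description "Manage existing mailboxes in department Sales"

# 3. Who holds the rights, including users who inherit them through nested groups.
Get-RoleGroupMember $GroupName
Get-ManagementRoleAssignment -RoleAssignee $GroupName -GetEffectiveUsers |
    Select-Object Role, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope

# 4. Scope check: the group's assignment must be able to write a Sales mailbox and must
#    NOT appear for a mailbox outside the department (probe mailbox names are assumed).
foreach ($probe in "sales.user", "it.user") {
    $hits = Get-ManagementRoleAssignment -WritableRecipient $probe |
        Where-Object { $_.RoleAssigneeName -eq $GroupName }
    "{0}: {1} can modify = {2}" -f $probe, $GroupName, [bool]$hits
}
```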

Scenario 3 – Remove a role group

There will probably come a time when you want to remove a role group for some reason.

Example 1 – Remove a role group using EMS

I will show you how to do this using Exchange Management Shell. Use the following command:

Remove-RoleGroup -Identity <RoleGroupIdentity>

In this example we remove the role group we created in Scenario 2 – Example 2:

Remove-RoleGroup "Mailboxes in OU IT Support"

rbac17

Scenario 4 – Working with assignment policies to enable users to manage their own mailboxes and properties

In this scenario we will create a new assignment policy and add a role to the policy to enable users to manage information related to their own mailboxes.

Example 1 – New assignment policy using ECP

First we will create a new assignment policy. In Outlook Web App, choose Options and then See All Options.

rbac3

In ECP, click on Manage Myself and choose My Organization.

rbac4

To view the Assignment Policies click on Roles & Auditing and then User Roles. Click on New to start creating a new policy.

rbac18

Start by entering a name for the assignment policy; I use Profile information in my example.

rbac19

We are going to add roles that control the user's profile information. Check MyProfileInformation; this also checks the roles MyDisplayName and MyName.

rbac20

Also make sure that you check MyBaseOptions; this is the role that lets users open ECP at all.

rbac22

More information on the built-in management roles can be found here:
http://technet.microsoft.com/en-us/library/dd638077.aspx

Click on Save to create the assignment policy.

rbac21

Example 2 – Change the Assignment Policy on a Mailbox

The next step in this scenario is to change the assignment policy on a mailbox. Open EMC and navigate to Recipient Configuration and then Mailbox. Right-click the mailbox you want to change and choose Properties.

Click the Mailbox Settings tab, select Role Assignment Policy and click Properties.

rbac23

Click Browse; this opens a new dialog window.

rbac24

Select the Assignment Policy you want to change to and then click OK.

rbac25

Check that the correct Assignment Policy is listed and then click OK.

rbac26

Click OK to close the mailbox properties window. The new Assignment Policy is now applied to the mailbox and should take effect immediately.

That is all for this time. I hope you find the examples useful, and if you have ideas for other examples you would like me to include in this post, just let me know. As usual, if you find any errors or have further questions, do not hesitate to post a comment. Thanks for reading!
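
Scenario 4 carried out in the Exchange Management Shell instead of ECP and EMC, with the checks an administrator would run afterwards. This is an added example, not the post's own commands; the policy name and the mailbox Test8 are assumed values.

```powershell
# Added example (not from the original post): Scenario 4 in EMS. Assumed values: the
# policy name "Profile information" and the mailbox "Test8".
$PolicyName = "Profile information"
$Mailbox    = "Test8"

# 1. New assignment policy with only the end-user roles the post selects in ECP.
#    MyBaseOptions is required for the user to open ECP at all.
New-RoleAssignmentPolicy -Name $PolicyName -Roles "MyBaseOptions", "MyProfileInformation" `
    -Description "Self-service profile edits only"

# MyProfileInformation is a parent role; MyDisplayName and MyName are derived from it,
# which is why ECP ticks them automatically. List the children to see what is covered.
Get-ManagementRole "MyProfileInformation" -GetChildren | Select-Object Name

# 2. Apply the policy to one mailbox (an explicit assignment policy in Part 2's terms)
#    and verify it. The default policy and all other mailboxes are untouched.
Set-Mailbox -Identity $Mailbox -RoleAssignmentPolicy $PolicyName
Get-Mailbox -Identity $Mailbox | Select-Object Name, RoleAssignmentPolicy

# 3. Review what the policy really lets a user run: every cmdlet and parameter the user
#    gains through it, so an over-broad role stands out before the policy is rolled out.
Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role.Name)\*" } |
    Select-Object Role, Name, Parameters

# 4. Which mailboxes are still on the default policy (i.e. have not been moved yet).
$DefaultPolicy = (Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }).Name
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy.Name -eq $DefaultPolicy } |
    Select-Object Name, RoleAssignmentPolicy
```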

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Part 3 in this series can be found here!

What’s this RBAC in Exchange Server 2010 anyway? – Part 2

This is part two in my series of posts about Role Based Access Control. Again, if you find an error of any sort, or have any questions or thoughts about it, please do not hesitate to drop a comment or contact me. And don't be afraid to do so; I'm not as much of a loony as you might think…

We will jump directly into Management Role Scopes, continue with Management Role Groups and finish off with Management Role Assignment Policies.

Management Role Scopes

A scope makes it possible to define the impact of a role assignment. It controls which objects in your organization the users can access and modify. There are a number of different scopes you can define when adding roles to a role group, and they must be defined before you use them in a role group assignment. All roles have management scopes, and a scope is one of the following two types:

Regular

A regular scope determines where, in Active Directory, objects can be modified by users assigned to the management role. As a basic rule, a management role determines what you can modify and a role scope determines where you can modify it.

Exclusive

This type of scope behaves almost the same as a regular scope, but with an exclusive scope you can also deny users access to specific objects.

Implicit scopes

Implicit scopes are the default scopes predefined in Exchange Server 2010. They can be inherited from a management role, or you can define which scope to use. More information about implicit scopes here: http://technet.microsoft.com/en-us/library/dd335146.aspx#ImplicitScopes

Explicit scopes

Explicit scopes are set by you and enable you to control which objects a management role can modify. They can be one of the following.

Relative Scopes

Predefined relative scopes for easy management. There are three different relative scopes:

  • Organization – The role can create or modify recipient objects across the Exchange organization.
  • Self – The role can modify only the properties of the current user’s mailbox.
  • MyDistributionGroups – The role can create or modify distribution list objects owned by the current user.

Custom Scopes

Scopes that you can create and modify yourself. This is a powerful way of defining the scope for a management role at a granular level. For example, you can scope to an Organizational Unit, to recipients and much more. The scope is created using the New-ManagementScope command. More information on this can be found here: http://technet.microsoft.com/en-us/library/dd638110.aspx

Management Role Groups

Management role groups are in fact universal security groups (USGs). They are used to simplify the assignment of management roles, enabling you to grant permissions to multiple users at the same time. All members of a management role group have the same rights and are assigned the same set of roles.

Role group layers

Microsoft has implemented a model consisting of layers that makes it quite easy to understand how role groups work. The model includes the following layers:

  • Role holder – A role holder is a mailbox that is a member of a role group. All management roles assigned to the role group apply to the member mailbox, the role holder, once it has been added to the group.
  • Management role group – Universal security groups (USGs) used when assigning permissions to multiple mailboxes.
  • Management role assignment – An assignment is the link between a management role and a role group. When you assign a role to a group, all members of that group are granted the included permissions. Role assignments can be both scoped and unscoped.
  • Management role scope – The impact of a role assignment when you assign a role with a scope to a role group. Can consist of recipients, OUs or servers.
  • Management role – Management role entries grouped together form a management role. Roles define the tasks that the members of a role group can perform.
  • Management role entries – Individual entries that provide access to cmdlets, scripts and special permissions. An entry can be a single cmdlet and its parameters.

Assigning roles to a role group

After you have decided which scope to use in your role assignment, you can proceed to add the role to a role group. First, here is how to create a role assignment with no scope:
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name>

If you want to create a role assignment using a predefined scope:
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name> -RecipientRelativeWriteScope < MyGAL | MyDistributionGroups | Organization | Self >

And if you want to use a custom filter-based scope:
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name> -CustomConfigWriteScope <role scope name>

Management role assignment policies

Management role assignment policies consist of one or more end-user management roles. They are used to control end users' permissions to manage their own Exchange Server 2010 mailbox and distribution group configuration.

Default Role Assignment Policy

There are two types of policies in Exchange Server 2010, default and explicit. If no role assignment policy is assigned to a new mailbox, the default role assignment policy kicks in and provides users with a set of basic, common permissions. A role assignment policy can be applied to a user's mailbox with either the New-Mailbox or the Enable-Mailbox command.

You can also define your own role assignment policy as the default policy. This is done using the Set-RoleAssignmentPolicy command. Doing so applies the new default role assignment policy to all new mailboxes, not to the mailboxes that already exist. You can also modify the built-in default role assignment policy itself, but this is not something I recommend, since it is good to have for reference and as a backup if you need to remove your own policy.

To apply a new policy to an existing mailbox you use the Set-Mailbox cmdlet, which updates the mailbox with the new setting.

Explicit Role Assignment Policy

When you assign a role assignment policy manually, using the RoleAssignmentPolicy parameter on the New-Mailbox, Set-Mailbox or Enable-Mailbox cmdlets, the policy is called an explicit role assignment policy.

That’s it for this time!

In part 3 of this series I will give you examples, examples and more examples. I'm doing my best to get it done as soon as possible, and it should be ready in a couple of weeks. Thanks for reading, and as always, just let me know if you have any thoughts or questions!

What’s this RBAC in Exchange Server 2010 anyway? – Part 1

This is part one in my series of posts about Role Based Access Control. If you find an error of any sort, have any questions or thoughts about it please do not hesitate to drop a comment or contact me.

Role Based Access Control is the new way of handling user rights in Exchange Server 2010. Before RBAC you had to work with ACLs, which could be quite tricky and hard to troubleshoot. With RBAC you can set wide or very specific rights for both administrators and end users, giving you more detailed control. You can set administrative rights in Exchange Server 2010, and you can give users the right to administer their own mailbox and distribution groups. First, let's take a look at the different components that RBAC consists of:

  • Role holder – Mailbox that is assigned to a role group
  • Management role group – Universal security group for managing Exchange Server permissions
  • Management role – Container for grouping other RBAC components
  • Management role entry – Defines which Exchange Server cmdlets an administrator can run
  • Management role assignment – Links the management role group to a management role
  • Management role scope – Defines where the administrator can perform the tasks

There are two primary ways of assigning permissions to users: management role groups and management role assignment policies. We will start by looking at management roles, management role entries and management role types, since they are fundamental to both groups and policies.

Management Roles

Management roles are a way to logically group a number of cmdlets, which makes it easier to identify the specific roles an administrator or user should have access to. One role can provide access to view or modify the configuration of Exchange 2010 components, for example mailboxes, transport rules, ActiveSync policies and recipients. These roles can be grouped together into management role groups and management role assignment policies; we will look more at these two further on. Management roles can be assigned to role groups, to role assignment policies and directly to users. The latter is not recommended, though: assigning roles directly to users will most likely make your environment unnecessarily complex to administer.

NOTE: End-user management roles can only be added to role assignment policies, not management role groups.

Built-in management roles

There is a large number of pre-made, built-in management roles that will be enough for most scenarios and cover many different areas of Exchange Server 2010. These roles can't be changed or altered in any way. You can, however, create your own management roles derived from the built-in ones. A new management role can be changed, but that is an advanced procedure and not recommended. I will not cover that topic in this post but might add it later.

There is a large number of built-in management roles; here are some examples:

  • Mail Recipient Creation Role – Enables the right to create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups
  • Move Mailboxes Role – enables administrators to move mailboxes between servers
  • Databases Role – enables the right to create, manage, mount, and dismount mailbox and public folder databases

A complete list of roles can be found here: http://technet.microsoft.com/en-us/library/dd638077(printer).aspx

Management Role Types

Management role types define the scope for management roles. They are divided into three categories:

  • Administrative or specialist – Has a broad impact in the Exchange organization. Roles of this type enable tasks such as server or recipient management, organization configuration, compliance administration and auditing.
  • User-focused – User-specific scope; enables user-oriented tasks such as user profile configuration, self-management and management of user-owned distribution groups.
  • This type enables tasks such as application impersonation and the use of non-Exchange cmdlets or scripts.

There are numerous types to choose from; a couple of examples follow:

  • Databases – This role type is associated with roles that enable administrators to create, manage, mount, and dismount mailbox and public folder databases on individual servers. This type affects specific servers.
  • MailTips – Associated with roles that enable administrators to manage mailtips, affects the entire Exchange organization.

Unscoped Top Level Management Roles

With Unscoped Top Level Management Roles you can control users' access to custom scripts and non-Exchange cmdlets. Since these roles have no parent that defines their content, they are called top level and are considered equal to built-in management roles. Unscoped roles always enable organization-wide configuration: granting a user this access gives him or her access to any object in the Exchange Server 2010 organization. These roles should be used with caution, but they can be very useful. For example, you can create a script and include it in a role; when you assign that role to a user, he or she will be able to perform only the specific functions provided by the script.

Create an Unscoped Role

To create a new Unscoped Role:
New-ManagementRole <name of new role> -UnscopedTopLevel

Management Role Entries

Entries are the basic building block of a management role. They are included in every role; without entries there would be no roles. An entry can be a cmdlet, a permission or a script that you want to include in a role. Entries can be added or removed depending on what type of role you are editing. To add a script you need to use the previously mentioned Custom Management Role.

View Role Entries

To view a list of role entries on a specific role:
Get-ManagementRoleEntry <role name>\*

If you want to view the details of a single role entry:
Get-ManagementRoleEntry <role name>\<cmdlet name> | FL

There are plenty more variations of the Get-ManagementRoleEntry command; information on this can be found here: http://technet.microsoft.com/en-us/library/dd351179.aspx

Add a Role Entry to a Role

To add entries to a role use this command:
Add-ManagementRoleEntry <child role name>\<cmdlet>

Again, there is more information that can be found here: http://technet.microsoft.com/en-us/library/dd335180.aspx

Change a Role Entry

To add parameters to a role entry use this command:
Set-ManagementRoleEntry <role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter…> -AddParameter

To remove parameters from a role entry:
Set-ManagementRoleEntry <role name>\<cmdlet> -Parameters <parameter 1>, <parameter 2>, <parameter…> -RemoveParameter

More information here: http://technet.microsoft.com/en-us/library/dd298005.aspx

Remove a Role Entry from a Role

You can of course remove a management role entry from a role:
Remove-ManagementRoleEntry <management role>\<management role entry>

And there is of course more information to this as well: http://technet.microsoft.com/en-us/library/dd297947.aspx

Custom Management Roles

When the built-in management roles aren't enough you can create and configure custom management roles. These are based on built-in management roles and inherit all of the parent's entries. You can change a custom management role to match your specific needs by removing inherited entries. Note that you can only use inherited entries; you cannot add other entries to a custom management role. I would not recommend the use of custom management roles unless it is absolutely necessary, as they are quite complex. Built-in management roles will be enough for most scenarios.
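
A least-privilege custom role built with the entry cmdlets from the Management Role Entries section and the inheritance rules described just above: derived from the built-in Mail Recipients role, stripped down to Get-Mailbox and a quota-only Set-Mailbox, and then handed out through a scoped role group. This is an added example, not the post's own commands; the role and group names and the choice of kept parameters are assumed.

```powershell
# Added example (not from the original post): a custom role that lets a help desk change
# nothing but mailbox quotas. Assumed values: the role name, the group name, the OU.
$Role = "Mailbox Quota Operators"

# 1. A child role inherits every entry of its parent. Entries can only be removed from it;
#    anything the parent does not have can never be added.
New-ManagementRole -Name $Role -Parent "Mail Recipients"

# 2. See how much was inherited (Mail Recipients carries a long list of cmdlets).
(Get-ManagementRoleEntry "$Role\*" | Measure-Object).Count

# 3. Remove every entry except the two cmdlets the task needs.
$Keep = "Get-Mailbox", "Set-Mailbox"
Get-ManagementRoleEntry "$Role\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Trim Set-Mailbox to the quota parameters plus Identity. Used without -AddParameter or
#    -RemoveParameter, -Parameters replaces the entry's whole parameter list.
Set-ManagementRoleEntry "$Role\Set-Mailbox" -Parameters Identity, IssueWarningQuota, `
    ProhibitSendQuota, ProhibitSendReceiveQuota, UseDatabaseQuotaDefaults

# 5. Verify: exactly two entries, and Set-Mailbox limited to the listed parameters.
Get-ManagementRoleEntry "$Role\*" | Select-Object Name, Parameters | Format-List

# 6. Hand the role out through a scoped role group rather than to individual users
#    (the post advises against direct user assignments). OU name "IT Support" is assumed.
New-RoleGroup -Name "Quota Help Desk" -Roles $Role -RecipientOrganizationalUnitScope "IT Support"
Get-ManagementRoleAssignment -RoleAssignee "Quota Help Desk" |
    Select-Object Role, RecipientWriteScope, RecipientOrganizationalUnitScope
```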

Create a Custom Management Role

Management Role Entry

Unscoped Top Level Role Entries

When used with a Custom Management Role, an entry is called an Unscoped Top Level Role Entry. There are a couple of things to consider when creating these entries.

  • All parameters for the entries need to be specified; Exchange will try to verify them. Only the specified parameters will be available to the users.
  • Remember to update the role manually if you change any of the entries; Exchange does not update the role.
  • All scripts must be placed in the Exchange 2010 scripts directory (Default: C:\Program Files\Microsoft\Exchange Server\V14\Scripts).
  • Remember to install all non-Exchange cmdlets on all servers. Also remember to add the Windows PowerShell snap-in name for the cmdlet.
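
An unscoped top-level role that exposes exactly one script, which is the pattern the Unscoped Top Level Management Roles section describes and which the four points above constrain (explicit parameters, script in the Scripts directory). This is an added example, not the post's own commands; the script name and its parameters, the role and group names and the member Test8 are assumed.

```powershell
# Added example (not from the original post): an unscoped top-level role whose only entry is a
# script, so the assignee can run that script and nothing else. Assumed values: the script
# "Get-MailboxSizeReport.ps1" with parameters Database and OutputPath, the role/group names.
$Role   = "Run Mailbox Report"
$Script = "Get-MailboxSizeReport.ps1"   # assumed; must sit in the Exchange Scripts directory

# 0. Creating unscoped roles requires the built-in "Unscoped Role Management" role through a
#    regular (not merely delegating) assignment. Check who holds it before starting.
Get-ManagementRoleAssignment -Role "Unscoped Role Management" -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, RoleAssignmentDelegationType

# 1. Empty top-level role: it has no parent, so it inherits nothing.
New-ManagementRole -Name $Role -UnscopedTopLevel

# 2. Add the script as the role's only entry. Every parameter the user may pass must be listed
#    explicitly; Exchange validates that the script exists in the Scripts directory and that
#    it accepts these parameters. Anything not listed cannot be passed.
Add-ManagementRoleEntry "$Role\$Script" -Parameters Database, OutputPath -Type Script

# 3. Assign the role through a role group. Unscoped roles are always organization-wide, so
#    the only limit on what the assignee can do is the script itself.
New-RoleGroup -Name "Mailbox Report Operators" -Roles $Role -Members "Test8"

# 4. Verify that the role contains exactly this one entry with exactly these parameters.
Get-ManagementRoleEntry "$Role\*" | Select-Object Name, Type, Parameters
```

If the script is changed later, re-run step 2's Add-ManagementRoleEntry (after removing the old entry) with the new parameter list; as the list above notes, Exchange does not update the role on its own.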

Management Roles Summary

Management roles can be divided into a number of different parts:

  • Built-in Management Roles – A number of predefined roles that cannot be changed. Will cover most needs.
  • Unscoped Top Level Management Roles – Control access to custom scripts, permissions and non-Exchange cmdlets; always organization-wide.
  • Custom Management Roles – Based on built-in management roles; inherited entries can be removed.

We also have two types of entries:

  • Management Role Entries – Included in every role; can be a cmdlet, a permission or a script.
  • Unscoped Top Level Role Entry – Define all parameters; manual role update after changes.

Last but not least:

  • Management Role Types – Define the affected scope for management roles; three descriptive categories.

In my next post I will continue with scopes, management role groups and management role assignment policies. Thanks for reading!
